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REMARKS 

Applicants thank the Patent Office for acknowledging Applicants' claim to foreign 
priority. Applicants respectfully request that the Patent Office indicate that the certified copy of 
the priority document, European Patent Application No. 0044019.6 dated June 30, 2000, has 
been made of record in the file. 

Applicants thank the Patent Office for initialing the references listed on the PTO/SB/08 A 
& B form submitted with the Information Disclosure Statement filed on April 15, 2004 and 
returning an initialed copy of the PTO/SB/08 A & B form, thereby confirming that the listed 
references have been considered. 

Applicants thank the Patent Office for initialing the references listed on the PTO-1449 
form submitted with the Information Disclosure Statement filed on June 27, 2001 and returning 
an initialed copy of the PTO-1449 form, thereby confirming that the listed references have been 
considered. 

Applicants herein amend the Abstract of the Disclosure to conform to U.S. practice. No 
new matter has been added. Entry of the amended Abstract is respectfully requested. 

Applicants herein editorially amend claims 1-9 to correct awkward language, to remove 
antecedent basis errors and to conform the claims to U.S. practice. The amendments to claims 1- 
9 were not made for reasons of patentability, do not narrow the literal scope of the claims and do 
not implicate an estoppel in the application of the doctrine of equivalents. 
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Applicants herein add new claims 10-13. Support for new claims 10-13 can be found, for 
example, in the originally filed claims. Entry and consideration of the new claims 10-13 is 
respectfully requested. 

Claims 1-13 are all the claims presently pending in the application. 

1. Claims 1-9 stand rejected under 35 U.S.C. § 103(a) as allegedly being unpatentable over 
Poisson et al (U.S. Patent No. 6,765,591) in view of Provino (U.S. Patent No. 6,557,037). 
Applicants traverse the rejection of claims 1-9, and insofar as the rejection might apply to new 
claims 10-13, for at least the reasons discussed below. 

The burden of establishing that a claimed invention is prima facie obvious rests on the 
USPTO. In rePiasecki, 745 F.2d 1468, 1472, 223 U.S.P.Q. 785, 788 (Fed. Cir. 1984). To make 
its prima facie case of obviousness, the USPTO must satisfy three requirements: 

a) The prior art relied upon, coupled with the knowledge generally available in the art at 
the time of the invention, must contain some suggestion or incentive that would have 
motivated the artisan to modify a reference or to combine references. In re Fine, 837 
F.2d 1071, 1074, 5 U.S.P.Q.2d 1596, 1598 (Fed. Cir. 1988). 

b) The proposed modification of the prior art must have had a reasonable expectation of 
success, as determined from the vantage point of the artisan at the time the invention 
was made. Amgen, Inc. v. ChugaiPharm. Co., 927 F.2d 1200, 1208, 18 U.S.P.Q.2d 
1016, 1022-23 (Fed. Cir. 1991). 

c) The prior art reference or combination of references must teach or suggest all the 
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limitations of the claims. In re Vaeck, 947 F.2d 488, 493, 20 U.S.P.Q.2d 1438, 1442 
(Fed. Cir. 1991); In re Wilson, 424 F.2d 1382, 1385, 165 U.S.P.Q. 494, 496 (CCPA 
1970). 

The motivation, suggestion or teaching may come explicitly from statements in the prior 
art, the knowledge of one of ordinary skill in the art, or, the nature of a problem to be solved. In 
re Dembiczak, 175 F.3d 994, 999, 50 U.S.P.Q.2d 1614, 1617 (Fed. Cir. 1999). Alternatively, the 
motivation may be implicit from the prior art as a whole, rather than expressly stated. Id. 
Regardless of whether the USPTO relies on an express or an implicit showing of motivation, the 
USPTO is obligated to provide particular findings related to its conclusion, and those findings 
must be clear and particular. Id. A broad conclusionary statement, standing alone without 
support, is not "evidence." Id; see also, In re Zurko, 258 F.3d 1379, 1386, 59 U.S.P.Q.2d 1693, 
1697-98 (Fed. Cir. 2001). 

In addition, a rejection cannot be predicated on the mere identification of individual 
components of claimed limitations. In reKotzab, 217 F.3d 1365, 1371, 55 U.S.P.Q.2d 1313, 
1317 (Fed. Cir. 2000). Rather, particular findings must be made as to the reason the skilled 
artisan, with no knowledge of the claimed invention, would have selected these components for 
combination in the manner claimed. Id. Even when obviousness is based on a single prior art 
reference, there must be a showing of a suggestion or motivation to modify the teachings of that 
reference. In reKotzab, 217 F.3d 1365, 1370, 55 U.S.P.Q.2d at 1316-1317 (citingB.F. 
Goodrich Co. v. Aircraft Braking Sys. Corp., 72 F.3d 1577, 1582, 37 U.S.P.Q.2d 1314, 1318 
(Fed. Cir. 1996)); see also, Ex parte Clapp, 227 U.S.P.Q. 972, 973 (B. Pat. App. & Inter. 1985)) 
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("To support the conclusion that the claimed invention is directed to obvious subject matter, 
either the references must expressly or impliedly suggest the claimed invention or the examiner 
must present a convincing line of reasoning as to why the artisan would have found the claimed 
invention to have been obvious in light of the teachings of the references."). 

The Patent Office acknowledges that Poisson et al. fail to teach or suggest connecting to 
a device outside of a virtual private network (VPN) via a logical tunnel. The Patent Office 
asserts, however, that Provino discloses, inter alia, forwarding a message to a communications 
device over a logical channel between a network access server and the communications device. 

The combination of Poisson et al. and Provino fails to teach or suggest at least a method 
of sending messages between a user and a communication device over a logical channel between 
a network access server and a communication device, wherein the logical channel refers to an 
identifier of a host Virtual Private Network to which the user is currently connected, as recited in 
claim 1. At best, the combination of Poisson et al. and Provino discloses a method of connecting 
to a firewall-protected virtual private network. There is no teaching or suggestion in the 
combination of Poisson et al and Provino of a user connecting to another communications 
device that is outside of a virtual private network (to which the user is already connected) and 
using an identifier of the connected-to virtual private network to facilitate a logical channel for 
sending messages to and receiving messages from the communications device. The portion of 
Provino cited by the Patent Office (col. 9, lines 46-60) as allegedly disclosing the use of a 
connected-to VPN identifier for a logical channel is directed to the establishment of a secure 
tunnel between a device and a firewall. There is no disclosure in the cited passage, however, of 
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using a VPN identifier for establishing communications with another device through a logical 
channel. Thus, Applicants submit that the Patent Office cannot fulfill the "all limitations" prong 
of a prima facie case of obviousness, as required by In re Vaeck. 

Applicants submit that one of skill in the art would not be motivated to combine the two 
references. In re Dembiczak and In re Zurko require the Patent Office to provide particularized 
facts on the record as to why one of skill would be motivated to combine the two references. 
Without a motivation to combine, a rejection based on a prima facie case of obviousness is 
improper. In re Rouffet, 149 F.3d 1350, 1357 (Fed. Cir. 1998)). The level of skill in the art 
cannot be relied upon to provide the suggestion to combine references. Al-Site Corp. v. VSIInt'l 
Inc., 174 F.3d 1308 (Fed. Cir. 1999). The Patent Office must make specific factual findings with 
respect to the motivation to combine references. In re Lee, 277 F.3d 1338, 1342-44 (Fed. Cir. 
2002). Although the Patent Office provides a rudimentary motivation analysis with respect to 
messaging over logical channels, both Poisson et al and Provino lack any teaching about the 
desirability of sending messages between a user and a communication device over a logical 
channel between a network access server and a communication device, wherein the logical 
channel refers to an identifier of a host Virtual Private Network to which the user is currently 
connected. Applicants submit that the Patent Office cannot fulfill the motivation prong of a 
prima facie case of obviousness, as required by In re Dembiczak and In re Zurko. 

Based on the foregoing reasons, Applicants submit that the combination of Poisson et al 
and Provino fails to disclose all of the claimed elements as arranged in claim 1. Therefore, the 
combination of Poisson et al. and Provino clearly cannot render the present invention obvious as 
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recited in claim 1 . Thus, Applicants submit that claim 1 is allowable, and further submit that 
claims 2-7 are allowable as well, at least by virtue of their dependency from claim 1. Applicants 
respectfully request that the Patent Office withdraw the § 103(a) rejection of claims 1-7, 

With respect to claim 8, Applicants submit that claim 8 is allowable for at least reasons 
analogous to those discussed above with respect to claim 1, in that the combination of Poisson et 
al. and Provino fails to teach or suggest a network access server that sends messages between a 
user and a communication device over a logical channel between the network access service and 
the communication device, wherein the logical channel refers to an identifier of a host Virtual 
Private Network to which the user is currently connected. Thus, Applicants submit that claim 8 
is allowable, and respectfully request that the Patent Office withdraw the § 103(a) rejection of 
claim 8. 

With respect to claim 9, Applicants submit that claim 8 is allowable for at least reasons 
analogous to those discussed above with respect to claim 1, in that the combination of Poisson et 
al and Provino fails to teach or suggest at least a logical channel controller that receives 
messages sent from a communication device to a user over a logical channel between a network 
access service and the communication device, wherein the logical channel controller uses the 
logical channel (which refers to an identifier of a host Virtual Private Network to which the user 
is currently connected) to route the message to the user. Thus, Applicants submit that claim 9 is 
allowable, and respectfully request that the Patent Office withdraw the § 103(a) rejection of 
claim 9. 
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With respect to new claims 10 and 11, Applicants submit that claims 10 and 1 1 allowable 
for at least reasons analogous to those discussed above with respect to claim 1, in that the 
combination of Poisson et al and Pro vino fails to teach or suggest a forwarding engine that 
sends messages between a user and a communication device over a logical channel between a 
network access service and the communication device, wherein the logical channel refers to an 
identifier of a host Virtual Private Network to which the user is currently connected. Thus, 
Applicants submit that claims 10 and 1 1 are allowable. 

With respect to new claims 12 and 13, Applicants submit that claims 12 and 13 are 
allowable for at least reasons analogous to those discussed above with respect to claim 1, in that 
the combination of Poisson et al and Pro vino fails to teach or suggest at least a logical channel 
controller that receives messages sent from a communication device to a user over a logical 
channel between a network access service and the communication device, wherein the logical 
channel controller uses the logical channel (which refers to an identifier of a host Virtual Private 
Network to which the user is currently connected) to route the message to the user. Thus, 
Applicants submit that claims 12 and 13 are allowable. 

In view of the above, reconsideration and allowance of this application are now believed 
to be in order, and such actions are hereby solicited. If any points remain in issue which the 
Examiner feels may be best resolved through a personal or telephone interview, the Examiner is 
kindly requested to contact the undersigned at the telephone number listed below. 
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The USPTO is directed and authorized to charge all required fees, except for the Issue 
Fee and the Publication Fee, to Deposit Account No. 19-4880. Please also credit any 
overpayments to said Deposit Account. 



Respectfully submitted, 



SUGHRUE MION, PLLC 
Telephone: (202) 293-7060 
Facsimile: (202) 293-7860 




WASHINGTON OFFICE 



23373 



CUSTOMER NUMBER 



Date: November 2, 2004 



17 



AMENDMENT UNDER 37 C.F.R. §1.111 
U.S. APPLN. NO. 09/891,545 
ATTORNEY DOCKET NO. Q64735 



AMENDMENTS TO THE DRAWINGS 

Applicants herein amend Figure 2 of the drawings to add legends and connector lines to 
reference numerals. No new matter has been added to the Drawing. 
Attachment: One (1) Annotated Marked-Up Drawing 
One (1) Replacement Sheet 
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Fig 2 
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A Method For Enabling A User Already Connected To A Virtual Private 
Network To Communicate With A Communication Device Not Belonging To 

This Virtual Private Network And Corresponding Network Access Server 

Background of the Invention 
[0001] The present invention relates to data communication systems and 
more particularly to an access method implemented in a network access server for 
enabling end-users to access the core network. 

[0002] The framework of this invention concerns the way individuals and 
companies are given access to interconnected data communication networks. 
Interconnected data communication networks consist for example of the public 
Internet and of a plurality of virtual private networks (VPN) operated by third 
parties. These third^party VPNs may be corporate intranets to which external 
access is severely controlled, for example, by firewalls. For example, external 
Ext e rnal access to a third^party VPN has how e v e r to be permitted for example for 
employees on travel to be able to access the corporate intranet by means of 
laptops lap tops wherever they are located or for home-working. This kind of 
external access acc e sses to third^party VPNs is_aFe-usually provided by an access 
service provider owning a Network Access Server (NAS). 
[0003] Several value-added services[[,]] proposed by access service 
providers[[,]] require that an end-user, while being connected to a.OHe-thirdjarty 
VPN over a NAS, can simultaneously access to a local service network, called 
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local VPN, associated to the NAS and usually operated by the access service 
provider, without disconnecting from the thirdjarty VPN. 
[0004] An issue related to this kind of simultaneous access is due to 
addressing schemes. Heterogeneous interconnected networks are harmonized by 
all supporting the internet protocol IP or any of its variations. Usually and 
because of the restricted number of EP addresses available for an access service 
provider, the NAS uses overlapping address pools for different VPNs. 
Consequently, As a cons e qu e nc e , two users connected to two different third z party 
VPNs over the same NAS may have been attributed the same IP address. Thanks 
to the IP address and the identity of the VPN from which a message has been sent, 
the NAS can unequivocally univocallv distinguish the two users having the same 
IP address. 

[0005] This becomes a problem if one of these users wants to be 
simultaneously connected to one identical further communication device without 
releasing the connection to its corresponding thirdjarty VPN. Such a 
communication device may be a server belonging to a VPN, called local VPN, 
associated to the NAS and owned by the access service provider. In that case, the 
NAS is no more able to distinguish them since both have the same IP address and 
get messages from the same local VPN. 

[0006] A common method for solving this problem consists in introducing a 
network address translation (NAT) in the NAS. In this approach, the IP address 
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of the user is translated in the NAS itself, such that for communication towards 
servers of the local VPN, each user appears to have a unique IP address. This 
approach has a number of important drawbacks: first of all a it puts a heavy load on 
the NAS, since each IP packet flowing between the user and the local VPN has to 
be translated and as a consequence to be modified. Recent variations of the IP 
protocol, such as IPsec, rely on the fact that packets should not be altered between 
the end-points, while NAT does alter them. Consequently, As a cons e qu e nc e , this 
solution imposes some restrictions on the protocols that can be used, and hence on 
the services that can be offered. 

[0007] Another A anoth e r method of solving this problem consists in 
allocating multiple TP addresses to the user. Depending on whether a_an-given 
application is associated with a thirdjarty VPN or with the services in the local 
VPN, the application will use a different IP address to send its packets. This 
solution assumes that there is a well-controlled mechanism to specify for each 
application which IP address it has to use at a given point in time. This is 
extremely difficult to guarantee in case the same application is used to access 
subsequently services in different VPNs, e.g. a if the user is browsing from a URL 
in VPN 1 to a URL in VPN 2. In other words, the solution is extremely complex 
to realize, since typically the access service provider has no control over the 
applications and protocol stacks running on the user terminal. 
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[0008] A particular aspect e biee^of the present invention is to provide a 
method that remains transparent for the end-user^ since none of them need to. care 
about mechanism for distinguishing between several IP addresses. 
[0009] Another aspect ebieet-of the invention is to provide a method that 
does not too much overload the NAS. 

Summary of the Invention 
[0010] These aspects obi e cts , and others that appear below, are achieved by 
a method for enabling a user registered in an NAS as already connected to a VPN, 
called host VPN, to communicate with at least a communication device not 
belonging to the host VPN, the NAS having access over a data communication 
network to the communication device and to a plurality of VPNs. The method 
comprises a step of sending messages belonging to a communication between the 
user and the communication device over a logical channel between the NAS and 
the communication device, the logical channel referring to an identifier of the host 
VPN. 

[001 1] This method has the advantage that it does not require IP packet 
alteration. 

[0012] The present invention also concerns a Network Access Server for 
enabling a communication between a user and a communication device, the user 
being registered in the Network Access Server as already connected to a Virtual 
Private Network, called host Virtual Private Network, the communication device 
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being outside of the host Virtual Private Network, the Network Access Server 
being able to access to a database associating an identifier of the user to an 
identifier of the host Virtual Private Network. The Network Access Server 
further comprises means for sending messages originating from the user and 
destined to the communication device on a logical channel between the Network 
Access Server and the communication device, the logical channel referring to the 
identifier of the host Virtual Private Network. 

[0013] The present invention concerns also a Network Access Server for 
unequivocally univocallv retrieving a user, out of a plurality of users, to which a 
message sent by a communication device and received at the Network Access 
Server is destined, the user being already connected over the Network access 
server to a Virtual Private Network not comprising the communication device, the 
Network Access Server being able to access to a database associating an identifier 
of the user to an identifier of the Virtual Private Network to which the user is 
already connected, wherein the Network Access Server comprises^ 
[0014] a logical channel controller for determining a logical channel 
identifier of one logical channel on which said message is received at said 
Network Access server; 

[0015] means for retrieving the user to which said message is destined, 
according to said logical channel identifier and said user entry in said database. 
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This invention is based on a priority application EP 00 44 0195 which is hereby 
incorporated by reference. 

Brief Description of the Drawings 
[0016] Other characteristics and advantages of the invention will appear on 
reading the following description of a preferred implementation given by way of 
non-limiting illustrations, and from the accompanying drawings, in which: 
[0017] FIG, Ftgwe-1 shows a physical architecture of interconnected data 
communication networks where the present invention can be applied; 
[0018] FIG, fi gtife-2 shows an embodiment of a NAS according to the 
present invention. 

Detailed Description of the Invention 
[0019] FIG, shows a physical architecture of interconnected data 

communication networks comprising several VPNs 151, 152, 153 and access 
networks 121, 122 interconnected though a core network 14, for example the 
public Internet or leased lines. 

[0020] End-users 111, 112, 113, 114 111 11 4 are connected over access 

networks 121, 122 to NASs 131, 132. NASs 131, 132 enable the access of end- 
users 111, 112, 113, 114 111 11 4 to the core network 14 and to the 

interconnected data communication networks 151, 152, 153 151 153 . Some 

servers 161, 162, 163, 164 161 161 belonging to the different VPN 151, 152, 

153 151 153 are represented in FIG. 1 on th e figur e by way of example. 
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Servers 161 and 162 belong b eiengs-to VPN 151, server 163 belongs t o VPN 152 
and server 164 belongs to VPN 153. These servers contain VPN specific 
information and preferably support features like authentication or authorization. 
[0021] VPN 151 plays a privileged role in that it is preferably associated to 
NAS 131 and called local VPN in the following. For example, the NAS A as well 
as the local VPN^ are owned by a single access service provider. This is however 
not a requirement of the invention. VPN 152 and 153 are preferably third^party 
VPNs, V PN-for example^ corporate intranets. 

[0022] Local VPN 151 may be interconnected to core network 14 as 
represented in FIG. I on th e figur e. Alternatively, local VPN 151 can also be 
directly connected to NAS 131. Several different NAS 131, 132 can be 
associated to the same local VPN 151. 

[0023] Access networks 121 and 122 may be usual telephone networks like 
PSTN or ISDN or cable networks as well as radio networks. 
[0024] If access networks 131, 132 are usual telephone networks, NASs 131, 
132 comprise analog modems to terminate PSTN analog connections. In case of 
an ISDN digital connection, the signal does not need net-to be demodulated. 
NASs 131, 132 also comprise a router function and a gateway to the core network. 
[0025] In the description below, an example will be used to illustrate the 
invention. In this example, it is assumed that user 111 communicates with server 
163 belonging to VPN 152. This communication takes place over NAS 131. It is 



also assumed that user 112 communicates with server 164 belonging to VPN 153. 
This communication also takes place over NAS 131. 

[0026] Preferably, we consider a situation where a connection is currently 
established between user 111 and VPN 152 as well as between user 112 and VPN 
153. These connections are preferably realized as PPP (Point to Point Protocol) 
connections between users 111, r e sp e ctiv e ly 1 12, and NAS 131, resp e ctively 132, 
in combination with appropriate routing table settings in NAS 131 , r e sp e ctiv e ly 
4-33. Any other type of connections usually used in an access network may also 
be considered. 

[0027] During connection set up, an IP address is allocated to the user 
requiring the connection and for the connection duration. During the connection 
set up, each user 111, 112 also indicates to the NAS 131 to which VPN it wants to 
connect. 

[0028] As NAS 131 usually has a limited pool of IP addresses at its disposal, 
a single EP may be allocated to different users connected at the same time to NAS 
13 1 on the condition that the users want to be connected to different VPN. To 
this extentextend, the IP address alone does not unequivocally identify univocallv 
id e ntifi e s the user. Consequently, As a cons e quenc e , only the association of the 
VPN to which a user is connected and its IP address unequivocally univocallv 
identify the user at the NAS. In this example, it is assumed that user 111 and user 
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1 12 are allocated the same IP address by the NAS 131 during the connection 
setup. 

[0029] This complies with the above remark since both want to connect to 
different VPNs. 

[0030] During connection setup, NAS 131 fills in a table comprising 
information related to connections to be established between users 111, 112 
attached to NAS 131 and VPNs 152, 153. This information is held in the table for 
the whole duration of a connection. An entry of this table comprises preferably 
pr e f e rrably a user identification specific to access network 121 (e.g.^ a calling 
number), the IP address allocated to that user and a VPN identifier indicating to 
which VPN that user is currently connected. 

[0031] Assuming Assum e d that in parallel to the already established 
connections, user 111 want to communicate simultaneously with server 161 
located in local VPN 151 without releasing its connection to VPN 152. A 
message destined to server 161 comprising the source address of user 1 1 1 as well 
as the destination IP address of server 161 is sent to NAS 131. NAS 131 detects 
that, although user 1 1 1 is already connected to VPN 152, the message containing 
the destination IP address of server 161 should be directed toward VPN 151. 
[0032] Assuming Assum e d that server 161 were to answer to this message 
with an answer message directed to user 1 1 1. the server 161 & -would build an IP 
message containing as destination address the IP address of user 111 found in the 
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received message. Upon reception of this answer message the NAS 131 will not 
be able to identify univocally that this answer message is destined to user 111 
since user 112 also has the same IP address. 

[0033] According to the invention, as soon as NAS 131 detects that a 
message is destined to a server 161 not belonging to the VPN 152 to which user 
1 1 1 is registered as already connected, the message is directed on a logical 
channel having, as logical channel identifier, the identifier of VPN 152 to which 
user 1 1 1 is registered as already connected. 

[0034] The principle of logical channels as such are generally known by 
those skilled in the art and are realized by means of several techniques. 
[0035] The realization of logical channel between the NAS 131 and VPN 
151 may be, for example, done by means of encapsulation. The NAS 131 should 
encapsulate each message destined to server 161 in a packet the header part of 
which containing an identifier of the VPN to which the user 1 1 1 is registered as 
already connected. A particular form of encapsulation, called tunneling, may also 
be used. One principle of tunneling is to encapsulate a protocol data 
corresponding to a certain layer in the OSI communication model in another 
protocol data corresponding to the same layer in the OSI communication model. 
This is advantageous in heterogeneous networks for privacy and security matters. 
[0036] In case server 161 has to answer to a message sent by user 111 and 
received over a logical channel having an identifier of VPN 152 as logical 
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channel identifier, server 161 sends back the answer message over the same 
logical channel. Upon reception of the answer message at the NAS 131, the latter 
identifies the logical channel identifier of the logical channel on which the 
message has been received and extracts the message from the logical channel. 
NAS 131 can unequivocally u nivocallv identify to which user the answer message 
is destined since it has access to the DP address contained in the answer message 
as well as to the identifier of the VPN to which the user is already connected. 
With this coupl e of information^ the NAS is able to identify univocally user 111. 
[0037] An advantage of this method is that it is transparent for the end-users. 
[0038] FIG. F iguFe-2 shows an embodiment of a NAS according to the 
present invention. The NAS 20 comprises a forwarding engine 21, a logical 
channel controller 22, a routing part 23 and a table 24. NAS 20 comprises also 
three interfaces. A first interface 201 to access network and users, a second 
interface 202 to a local VPN (local VPN 151 shown on FIG, figure-1) and a third 
interface 203 to third r party VPNs (VPN 152 and 153 shown in FIG, on figure 1). 
[0039] First interface 201 is connected to forwarding engine 21 which is in 
turn connected to logical channel controller 22 as well as to routing part 23. 
Logical channel controller 22 is connected to second interface 202 and routing 
part is connected to third interface 203. Logical channel controller 22 as well as 
routing part 23 can access to table 24. Table 24 is a database comprising entries 
registering the already established connections between a user, and a_^-third z 
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party VPN. Each entry comprises an identification of the user specific to the 
access network to which this user is connected, the IP address of this user and an 
identifier of the third^party VPN to which the user is connected. Other 
information may also be available in each entry. 

[0040] Upon reception of a message on the first interface 200, forwarding 
engine 21 checks if this message is destined to the local VPN or to a third^party 
VPN to which the user is already connected. This check is done by analyzing the 
destination IP address contained in the message. 

[0041] If the message is destined to a third z party VPN. The message is 
transparently conveyed to routing part 23 and sent over third interface 202. 
[0042] If the message is destined to the local VPN, the message is 
transmitted to logical channel controller 22. Logical channel controller 22 checks 
the source IP address contained in the message and searches in table 24 if this 
user is already connected to a third^arty VPN. If this is the case, it extracts the 
thirdjsarty VPN identifier to which the user is already connected. Logical 
channel controller 22 then directs the message on a logical channel having as 
logical channel identifier the third^arty VPN identifier or any identifier 
unequivocally univocally derived thereof If the user is not connected to any VPN, 
a default reserved logical channel identifier is used to send the message to the 
local VPN. 
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[0043] Upon reception of a message on the second interface 201 , logical 
channel controller 22 is responsible of finding to which VPN, if any, the user to 
which this message is destined is already connected to. For this purpose, logical 
channel controller 22 extracts the logical channel identifier of the channel on 
which the message has been received over interface 202. The VPN identifier may 
be identical to the logical channel identifier or unequivocally univocallv deduced 
thereof by means of an association table not represented in FIG, on figur e 2. 
[0044] Logical channel controller 22 also extracts the destination IP address 
contained in the message. Then, logical channel controller 22 searches in table 24 
the user corresponding to the IP address and the VPN identifier. This 
unequivocally identifies univocally the user to which the message has to be 
transmitted. The message is then transmitted to forwarding engine 21 a which 
sends the message on the first interface 200 to the identified user. 
[0045] Alternatively to the embodiment described above, table 24 may not 
be contained in NAS 20. Table 24 may be stand alone and accessible by NAS 20 
but also by other modules located out of the NAS, in particular modules residing 
on a server in the local VPN. Table 24 may also be shared by different NASes. 
[0046] In another embodiment of the invention, it can be envisaged that two 
separate NASes treat separately the reception of a message on the first interface 
200 and the reception of a message on the second interface 201. 
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